Re: ADAM and Windows Address Book



Hi

I tried a repro of this and found that if SPA is checked then there is an
SSPI logon using the credentials of the logged on account.

It seems the username/password pair is only used if SPA is not checked.
With SPA not checked there is an LDAP simple bind to the directory server,
so in the case of binding to ADAM the account would need to be a native
ADAM user. Checking SSL results in an LDAP simple bind over SSL.

Lee Flight
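The two bind paths described above (SPA on: SSPI/Negotiate bind as the logged-on account, with the configured username/password ignored; SPA off: LDAP simple bind with the configured credentials, optionally wrapped in SSL) can be reproduced outside WAB with System.DirectoryServices.Protocols. The script below is an added example, not code from the thread or from Microsoft; the server name, port, search base and credential values are placeholders you substitute for your own ADAM instance.

```powershell
# Added example: reproduce WAB's two bind behaviours against an ADAM instance
# using System.DirectoryServices.Protocols (S.DS.P), the same API LDP-style
# tools use. Server, port, base DN and credentials below are assumptions.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-AdamBind {
    param(
        [Parameter(Mandatory)] [string] $Server,     # e.g. adam01.example.com (assumed)
        [int]    $Port   = 389,                      # 389 (plain) or 636 (SSL)
        [switch] $UseSsl,                            # equivalent to WAB's "SSL" checkbox
        [switch] $Spa,                               # equivalent to WAB's "secure password authentication"
        [System.Net.NetworkCredential] $Credential,  # only used when -Spa is NOT set
        [Parameter(Mandatory)] [string] $SearchBase, # e.g. "OU=People,DC=example,DC=com" (assumed)
        [string] $Filter = '(objectClass=*)'
    )

    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port, $false, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = [bool]$UseSsl   # server cert is validated by default; keep it that way

    try {
        if ($Spa) {
            # SPA checked: SSPI logon with the interactive account's token.
            # Whatever username/password WAB has stored is not sent at all,
            # so a local (non-domain) logon produces a local-account failure
            # in the ADAM event log even though domain credentials were configured.
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
            $mechanism = 'SSPI/Negotiate as ' + [Environment]::UserDomainName + '\' + [Environment]::UserName
            $conn.Bind()
        }
        else {
            # SPA unchecked: LDAP simple bind. ADAM only authenticates its own
            # (native) users this way; a Windows account name here is rejected.
            if (-not $Credential) { throw 'simple bind needs -Credential (an ADAM user)' }
            if (-not $UseSsl) {
                Write-Warning 'simple bind on port 389 transmits the password in clear text; use -UseSsl'
            }
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
            $mechanism = 'simple bind as ' + $Credential.UserName + ($(if ($UseSsl) { ' over SSL' } else { '' }))
            $conn.Bind($Credential)
        }

        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest -ArgumentList `
                    $SearchBase, $Filter,
                    ([System.DirectoryServices.Protocols.SearchScope]::Subtree),
                    ([string[]]@('cn'))
        $resp = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)

        [pscustomobject]@{
            Mechanism  = $mechanism
            Port       = $Port
            BindOk     = $true
            ResultCode = $resp.ResultCode
            Entries    = $resp.Entries.Count   # 0 here mirrors WAB's "no entries ... match" message
        }
    }
    catch [System.DirectoryServices.Protocols.LdapException] {
        # ErrorCode 49 (invalidCredentials) is what WAB reports as
        # "The specified directory service has denied access."
        [pscustomobject]@{
            Mechanism  = $mechanism
            Port       = $Port
            BindOk     = $false
            ResultCode = $_.Exception.ErrorCode
            Entries    = 0
            Detail     = $_.Exception.ServerErrorMessage
        }
    }
    finally {
        $conn.Dispose()
    }
}

# --- usage (values are placeholders) --------------------------------------
# 1. SPA on, SSL on: uses the account you are logged on as; credential ignored.
Test-AdamBind -Server adam01.example.com -Port 636 -UseSsl -Spa -SearchBase 'OU=People,DC=example,DC=com'

# 2. SPA off, SSL on: simple bind, must be a native ADAM user, not a Windows account.
$adamUser = New-Object System.Net.NetworkCredential('CN=wabreader,OU=People,DC=example,DC=com', (Read-Host -AsSecureString 'ADAM password'))
Test-AdamBind -Server adam01.example.com -Port 636 -UseSsl -SearchBase 'OU=People,DC=example,DC=com' -Credential $adamUser
```

Running case 1 from a workstation that is not a domain member, or from a local account, shows the same failure the thread describes: Negotiate binds with the local token, so the domain credentials typed into WAB never reach the server. Running case 2 with a Windows account name fails with invalidCredentials because ADAM does not authenticate Windows accounts over a simple bind; the practical choices are a native ADAM user over SSL for simple bind, or a domain logon on the client for the SSPI path.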


"Rich Raffenetti" <raffenetti@xxxxxxxxxxx> wrote in message
news:%23SJmFoh1GHA.4300@xxxxxxxxxxxxxxxxxxxxxxx
Thanks for your response. I have added responses to your questions in the
thread below. I hope my answers will help to resolve the situation.

"Dmitri Gavrilov [MSFT]" <dmitrig@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23JYAcrV1GHA.1568@xxxxxxxxxxxxxxxxxxxxxxx
Yeah, I remember something came up with WAB.
Questions:
Which port is your WAB configured to talk to: LDAP or SSL?

I have tried both. They both fail for authenticated access. For SSL I
have a commercial Entrust certificate. (Note that LDP works with either
389 or 636.) We are interested in using SSL and having authenticated
access.

Are you trying to bind with Windows credentials or ADAM user credentials?

Windows credentials.

Is "logon using secure password authentication" checkbox on or off?

Most testing with SPA checked. See below for detailed results.

When connecting from domain-joined workstation -- please try to logon as
a local admin (non-domain user), and check if it still works.

I've tried from a local admin account on the ADAM server. The event log
shows a failed attempt with the local credentials even though Windows
domain credentials were configured into the WAB. Without the SPA checked,
the message is "The specified directory service has denied access. Check
the properties for this directory service and verify that your
Authentication Type settings and parameters are correct." When I checked
the box for SPA, the message changed to "There are no entries in the
directory that match your search criteria." I checked with LDP and the
elements I am searching for are there.

I changed to an administrator account in the domain on the ADAM server and
the same searches obtain the following results. With SPA checked, the
searches succeed. Without SPA checked, the message "The specified
directory..." reappears. This is with both port 389 and 636.


--
Dmitri Gavrilov
SDE, Active Directory team

This posting is provided "AS IS" with no warranties, and confers no
rights.
Use of included script samples is subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"Rich Raffenetti" <raffenetti@xxxxxxxxxxx> wrote in message
news:eGVZUP00GHA.2636@xxxxxxxxxxxxxxxxxxxxxxx
I have implemented a domain-based ADAM and have the following problem
accessing it from Windows Address Book in only certain circumstances. I
am doing all of these tests with SSL (port 636). The SSL cert is from a
commercial CA (Entrust) and the root certificate is found in all Windows
systems - as long as they update Root Certificates.

WAB accesses ADAM from a client XP Pro workstation in the domain just
fine.

However, WAB does NOT access the same ADAM from a client XP Pro
workstation that is not in the domain.

LDP connects and binds to the same ADAM fine from the same workstations,
whether or not the XP Pro client workstation is in the domain. The LDP
experiments were also with SSL to port 636.

I found a thread on this issue from May 2006. There was no solution nor
was there any confirmation of this problem. I find the same behavior as
was reported then.

I get the same result when I use port 389 (no SSL).

This seems to be a WAB issue. Any ideas?